Analysis
- max time kernel: 135s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 14:06
Behavioral task: behavioral1
- Sample: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
- Size: 101KB
- MD5: 241e21d6765c970c6092fbe0ba00a6af
- SHA1: 721c1c3ad2214ce099756a44c77579ffcef55b6d
- SHA256: 1debc837add53cd6baf31583a71385eab6aeefc19684549cffe5c539763a0b41
- SHA512: 3f3568d60520fcbe6e9e2ad694bd6a093fd25b7d998fcd7ca3b18c7934de7907c58c63628245b3b76e04cf0da8446ece105a547240ff47e91a9bda2109513be3
- SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzo:/bfVk29te2jqxCEtg30BLbEE
Malware Config
Extracted
- Family: sakula
- www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    yara_rule: family_sakula

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation
    process: 241e21d6765c970c6092fbe0ba00a6af_JC.exe

- Executes dropped EXE (1 IoC)
  Processes: AdobeUpdate.exe
    pid: 800
    process: AdobeUpdate.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
    process: 241e21d6765c970c6092fbe0ba00a6af_JC.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTPs, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 241e21d6765c970c6092fbe0ba00a6af_JC.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 236
    process: 241e21d6765c970c6092fbe0ba00a6af_JC.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 241e21d6765c970c6092fbe0ba00a6af_JC.exe, cmd.exe
    description                       pid    process                                    target process
    PID 236 wrote to memory of 800    236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    AdobeUpdate.exe
    PID 236 wrote to memory of 800    236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    AdobeUpdate.exe
    PID 236 wrote to memory of 800    236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    AdobeUpdate.exe
    PID 236 wrote to memory of 4964   236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    cmd.exe
    PID 236 wrote to memory of 4964   236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    cmd.exe
    PID 236 wrote to memory of 4964   236    241e21d6765c970c6092fbe0ba00a6af_JC.exe    cmd.exe
    PID 4964 wrote to memory of 1948  4964   cmd.exe                                    PING.EXE
    PID 4964 wrote to memory of 1948  4964   cmd.exe                                    PING.EXE
    PID 4964 wrote to memory of 1948  4964   cmd.exe                                    PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe"
  PID: 236
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 800
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\241e21d6765c970c6092fbe0ba00a6af_JC.exe"
    PID: 4964
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1948
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 101KB
  MD5: ead1cfbdd19983061d7248b1dd5ee7a9
  SHA1: a9aea225b0e816f7d80e7e5dcdc6059e130ff683
  SHA256: e12c0df041e4212b906987a8b80fc9f743590bd0c3854a189dfd6e2b7d132286
  SHA512: 6ced7efddd26b7cdc778b2d16b8c227b9765a5653486198d42e46fc00a82c3cf0d31f917d0c030f388586653d103618103699e633cd1d1c04a4576e539e6b37b